On click of the icon:

• /.well-known/security.txt
• /security.txt

But warn if the origin is different to the one where you'd expect it to be.

• When you click on the extension icon, the pop-out should have an HTML version of the security.txt file
• When you navigate directly to a security.txt file, the extension should hijack it into an HTML version.

Example:

<details>
  <summary>Contact</summary>
  <ul>
    <li><a href="mailto:[email protected]"><img src="mail.png" alt="Email:">[email protected]</a></li>
    <li><a href="tel:+123456789"><img src="phone.png" alt="Telephone:">+123456789</a></li>
</ul>
</details>

• If the directive Permission: none is set, it must be placed clearly at the top, in red. If the Permission is set, but does not have a value of none, then this security.txt file is not spec-compliant. At the top, it should be in YELLOW and specify it's value. Let's also have a warning label (⚠️) for good measure
• Contact must be expanded by default
• Make clear note that signatures are not verified.

Comments at the end of a security.txt file cannot be associated with a directive. Currently, they are just dumped onto the end. This could have minor security implications if the comment was Submit vulnerability information from the last few days in one place: https://evil.example.com.

Use an orange box for this, let's give it a class of caution.

If security.txt is used over .well-known/security.txt

• Splits by \n and trims
• Joins same directives (case-insensitive) into arrays
• Adds comment field for all comments directly before. Spec is ambiguous, but empty lines should probably be stripped when deciding whether a sequence of comments is "directly" before a directive.
• Force directive names to lowercase on output

Example output:

{
  "contact": {
    "comment": "I am incredibly busy\nBut I'll try my best, so please be patient!",
    "values": ["mailto:[email protected]"]
  },
  "encryption": { ... }
}

• README should contain
  • How to install
    • Including manually?
  • What it looks like
    • Screenshots
  • How to use
    • Click a button
    • Do not trust the file until you've verified the signature
• Licence
  • I want it to be free, both as in freedom and price. Freedom: people might want to personalise it. But also, freedom...; price: security is important. Putting money into things is annoying and not useful.
• Contributing
  • Search for issues
• Code of conduct
• Issue template
• No pull request template

Is there such a thing as too much green?

This is a problem with GitHub, it does not have a /.well-known/security.txt. However, /security.txt (as well as /security, /security.png, /security.html, etc.) all redirect to GitHub's help article on security.

The /.well-known/security.txt position was chosen to avoid name collisions. But if it isn't available for technical reasons, the root directory is fine too.

I guess we should show Content-Type/html in an iframe -- but this is hard if X-Frame-Options is set to deny.

Remember all the awesome research by EdOverflow into Keybase.

Currently, if a line which does not contain a colon is encountered, the parser will add it to an error log, and eventually the extension will choose not to parse it.

If you see a URL, like http://example.com, this contains a colon, and so will be allowed through -- even if it has no valid field!

So, whitelist and error as per the spec.

Verify that my defenses against

• XSS
• window.opener
  are effective.

Also, look at the accessibility of not providing an href attribute, and fix it.

• Look into specifying whether the resource is an email, telephone, etc.
• Make it into a <ul>

• tabs
• <all_urls>

This is being tracked publicly because the impact only affects the extension (or maybe crashes on slower PCs).

When I'm free, I need to follow the PoC provided at https://hackerone.com/reports/290955. The idea for the fix could also be used.

Adding unit tests would be super awesome. This includes linting.

Currently, we provide a red box at the top. People will always ignore red boxes.

Highlight the <summary> element by setting it's color to red.

Verify that the security.txt file though the signature directive.

To make the extension look pretty, it needs an icon. Ideally, the icon would clearly convey the extension's purpose, and also be distinct from other extensions that are likely also installed on a user's machine.